Key Takeaways
What is VajraSpy?
ESET researchers discovered twelve Android espionage apps sharing the same malicious code. Six of these were on the Google Play store. All but one of the malicious apps masqueraded as a messaging tool, and the remaining app masqueraded as a news app. The affected apps include Privee Talk, YohooTalk, TikTalk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, Hello Chat, GlowChat, Nidus, and Wave Chat.
The apps covertly installed VajraSpy, a RAT, on the victim’s device. The apps were installed over 1400 times, and some are still available on unofficial app repositories. ESET researchers noted the threat actors likely used a honeytrap romance scam to trick victims into installing the malware.
VajraSpy has multiple capabilities, including stealing and exfiltrating contacts, files, call logs, device location, SMS messages, and WhatsApp and Signal messages. It can also record phone calls and take photos with the device’s camera. According to ESET, the threat actors used Firebase Hosting for C2.
ESET noted there were three different groups of trojanized apps. The first group included trojanized messaging apps with basic malicious functionality.
The second group included trojanized messaging apps with advanced functionality. In addition to basic malicious functions, the second group was also capable of exploiting built-in accessibility options to intercept WhatsApp and Signal messages and notifications. One of these apps, Wave Chat, also included the options to record phone calls, record messaging app calls, log keystrokes, take photos, record audio, and scan for WiFi networks.
The third group of applications included the one non-messaging application, Rafaqat, which was a news app. This app had the most limited malicious capabilities of the three groups. It can only intercept notifications and exfiltrate contacts and certain file types.
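As an added example (not from ESET's report or from PolySwarm), the Python triage helper below parses the two Android Settings.Secure values that record enabled notification listeners and accessibility services, the grants the second and third app groups abuse to read notifications and WhatsApp/Signal messages, and flags any package outside an assumed allowlist; the sample values and the allowlist are constructed.

```python
"""Flag Android packages holding notification-listener or accessibility-service grants.

Input is the raw value of two Settings.Secure keys as printed by
`adb shell settings get secure enabled_notification_listeners` and
`adb shell settings get secure enabled_accessibility_services`.
"""
from typing import Dict, Set

# Assumed allowlist of packages expected to hold these grants on a stock build;
# adjust per OEM image.
DEFAULT_ALLOWLIST: Set[str] = {
    "com.android.systemui",
    "com.google.android.marvin.talkback",
}


def parse_component_list(raw: str) -> Set[str]:
    """Return package names from a ':'-separated list of 'pkg/Service' entries.

    `settings get` prints the literal string 'null' when a key is unset; that and
    an empty value both mean no grants.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    pkgs: Set[str] = set()
    for comp in raw.split(":"):
        comp = comp.strip()
        if not comp:
            continue
        # 'pkg/.Service' or 'pkg/fully.qualified.Service': the package precedes '/'
        pkgs.add(comp.split("/", 1)[0])
    return pkgs


def flag_grants(notification_listeners: str, accessibility_services: str,
                allowlist: Set[str] = DEFAULT_ALLOWLIST) -> Dict[str, Set[str]]:
    """Map each non-allowlisted package to the sensitive grants it holds."""
    flagged: Dict[str, Set[str]] = {}
    for pkg in parse_component_list(notification_listeners) - allowlist:
        flagged.setdefault(pkg, set()).add("notification_listener")
    for pkg in parse_component_list(accessibility_services) - allowlist:
        flagged.setdefault(pkg, set()).add("accessibility_service")
    return flagged


# Constructed sample values in the format `settings get secure` prints them.
SAMPLE_LISTENERS = "com.android.systemui/.NotificationListener:com.example.chatapp/.svc.NotifSvc"
SAMPLE_A11Y = "com.example.chatapp/com.example.chatapp.AccessSvc"

if __name__ == "__main__":
    for pkg, grants in sorted(flag_grants(SAMPLE_LISTENERS, SAMPLE_A11Y).items()):
        print(f"{pkg}: {', '.join(sorted(grants))}")
```

A package that appears under both grants, as the constructed sample does, is the pattern worth pulling for manual review, since a benign chat client rarely needs an accessibility service.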
Who is Patchwork?
Patchwork, also known as Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Sarit, Quilted Tiger, APT-C-09, ZINC EMERSON, and Operation Hangover, is an India-nexus APT group known to engage in espionage operations. The group has been active since at least 2015.
Patchwork is known to target diplomatic and government entities, including entities in Pakistan, China, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the US. Some of their victims have included Pakistan's Ministry of Defense, National Defence University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, Salim Habib University (SBU), and US think tanks.
Patchwork TTPs include, but are not limited to, spearphishing, watering hole attacks, and RDP for lateral movement; their tooling includes an AutoIt backdoor, BackConfig, BADNEWS, NDiskMonitor, PowerSploit, QuasarRAT, and TINYTYPHON.
While Patchwork is considered an advanced persistent threat, they have made mistakes in the past. In late 2021, the threat actors accidentally infected some of their own machines with BADNEWS RAT. This mistake allowed industry researchers to obtain keystrokes and screenshots from the threat actor group’s own systems.
IOCs
PolySwarm has multiple samples of VajraSpy.
You can use the following CLI command to search for all VajraSpy samples in our portal:
$ polyswarm link list -f VajraSpy